Logging POST requests with Apache

Thu 21 October 2010

After getting a flood of spam, I became suspicious that there was an
exploit in my blog software allowing easy robo-posts. Despite a code
audit I couldn't see anything, and thus wanted to log the incoming POST
requests before any local processing at all.

It took me a while to figure out how to do this; hopefully this helps
someone else. Firstly install libapache-mod-security, then the magic
incantation is

So, to break it down a little, the default action says to do nothing
during phase 2 (when the body is available for inspection); the allow
means that we're indicating that nothing further will happen in any of
the remaining phases, so the module can shortcut through them. The two
SecRules work together -- the first says that any POST requests should
be tested by the next rule (i.e. the chained rule), which in this
case says that any request should be sent to the audit log. After that,
the similar allow/phase argument again says that nothing further is
going to happen in any of the subsequent phases mod_security can work
on. As per the parts between A and Z, we'll log the headers, the
request body, the final response and trailer.
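
A configuration along the lines described above, added here as an example and not the original post's own snippet. It uses a single rule rather than the chained pair, and the log path, the rule id and the `RelevantOnly` audit setting are assumptions.

```apache
# Added example, not the original post's configuration.
# Assumed: ModSecurity 2.x; the log path and rule id are constructed.

SecRuleEngine On

# Needed for the body to be readable in phase 2 (and for part C below).
SecRequestBodyAccess On

# Audit only the transactions that a rule marks with "auditlog".
SecAuditEngine RelevantOnly
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log

# A = audit log header, B = request headers, C = request body,
# F = final response headers, H = trailer, Z = end-of-entry marker.
SecAuditLogParts ABCFHZ

# Default for rules that set nothing themselves: no logging, no blocking.
# ("pass" is used here; the post describes "allow" in the default action.)
SecDefaultAction "phase:2,pass,nolog,noauditlog"

# Send every POST to the audit log once its body has been read (phase 2).
# "allow" follows the post and skips any rules that come later; use "pass"
# if other rule sets must still inspect POST requests.
# An "id" is mandatory from ModSecurity 2.7 onwards.
SecRule REQUEST_METHOD "@streq POST" \
    "id:1000001,phase:2,allow,nolog,auditlog"
```

Part C records whatever was submitted, passwords and session tokens included, so keep the audit log readable only by the administrator and rotate it.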

So, as it turns out, there is no exploit; it seems most likely there is
an actual human behind the spam that gets through, because every time
they take a guess it is correct. So I guess I'll take a glass-half-full
kind of approach and rather than being annoyed at removing the spam,
I'll just convince myself that I made a small donation from some spam
overlord to one of their poor minions!